Gatekeeper Deployment (#358)

Added Gatekeeper Deployment MP and CP Cluster
tetratelabs · Mar 7, 2024 · e62101e · e62101e
1 parent a588ce6
commit e62101e
Show file tree

Hide file tree

Showing 12 changed files with 125 additions and 2 deletions.
diff --git a/modules/addons/gatekeeper/main.tf b/modules/addons/gatekeeper/main.tf
@@ -0,0 +1,36 @@
+provider "helm" {
+  kubernetes {
+    host                   = var.k8s_host
+    cluster_ca_certificate = base64decode(var.k8s_cluster_ca_certificate)
+    token                  = var.k8s_client_token
+  }
+}
+
+provider "kubectl" {
+  host                   = var.k8s_host
+  cluster_ca_certificate = base64decode(var.k8s_cluster_ca_certificate)
+  token                  = var.k8s_client_token
+  load_config_file       = false
+}
+
+provider "kubernetes" {
+  host                   = var.k8s_host
+  cluster_ca_certificate = base64decode(var.k8s_cluster_ca_certificate)
+  token                  = var.k8s_client_token
+}
+
+# Gatekeeper Deployment using helm chart
+resource "helm_release" "gatekeeper" {
+  count             = var.gatekeeper_enabled == true ? 1 : 0
+  name              = "gatekeeper"
+  repository        = "https://open-policy-agent.github.io/gatekeeper/charts"
+  chart             = "gatekeeper"
+  version           =  var.gatekeeper_version
+  create_namespace  = true
+  namespace         = "gatekeeper-system"
+  timeout           =  240
+
+  values = [
+    file("${path.module}/manifests/gatekeeper-values.yaml")
+  ]
+}
diff --git a/modules/addons/gatekeeper/manifests/gatekeeper-values.yaml b/modules/addons/gatekeeper/manifests/gatekeeper-values.yaml
@@ -0,0 +1 @@
+replicas: 1
diff --git a/modules/addons/gatekeeper/providers.tf b/modules/addons/gatekeeper/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "alekc/kubectl"
+      version = "2.0.3"
+    }
+  }
+}
diff --git a/modules/addons/gatekeeper/variable.tf b/modules/addons/gatekeeper/variable.tf
@@ -0,0 +1,18 @@
+variable "cluster_name" {
+}
+
+variable "k8s_host" {
+}
+
+variable "k8s_cluster_ca_certificate" {
+}
+
+variable "k8s_client_token" {
+}
+
+variable "gatekeeper_enabled" {
+}
+
+variable "gatekeeper_version" {
+  default = "3.15.0"
+}
diff --git a/modules/tsb/mp/main.tf b/modules/tsb/mp/main.tf
@@ -130,3 +130,4 @@ data "kubernetes_service" "tsb" {
   }
   depends_on = [time_sleep.wait_240_seconds]
 }
+
diff --git a/modules/tsb/mp/variables.tf b/modules/tsb/mp/variables.tf
@@ -66,4 +66,3 @@ variable "es_cacert" {
 
 
 
-
diff --git a/terraform-advanced.tfvars.json.sample b/terraform-advanced.tfvars.json.sample
@@ -19,6 +19,9 @@
                     },
                     "tsb-monitoring": {
                         "enabled": true
+                    },
+                    "gatekeeper": {
+                        "enabled" : true
                     }
                 }
             }
@@ -41,6 +44,9 @@
                     },
                     "tsb-monitoring": {
                         "enabled": true
+                    },
+                    "gatekeeper": {
+                        "enabled" : true
                     }
                 }
             }
@@ -63,6 +69,9 @@
                     },
                     "tsb-monitoring": {
                         "enabled": true
+                    },
+                    "gatekeeper": {
+                        "enabled" : true
                     }
                 }
             }

diff --git a/terraform-basic.tfvars.json.sample b/terraform-basic.tfvars.json.sample
@@ -9,6 +9,9 @@
                 "addons": {
                     "argocd": {
                         "enabled": true
+                    },
+                    "gatekeeper": {
+                        "enabled" : true
                     }
                 }
             }
@@ -22,6 +25,9 @@
                 "addons": {
                     "argocd": {
                         "enabled": true
+                    },
+                    "gatekeeper": {
+                        "enabled": true
                     }
                 }
             }
@@ -35,6 +41,9 @@
                 "addons": {
                     "argocd": {
                         "enabled": true
+                    },
+                    "gatekeeper": {
+                        "enabled": true
                     }
                 }
             }

diff --git a/tsb/cp/main.tf b/tsb/cp/main.tf
@@ -37,6 +37,15 @@ module "ratelimit" {
   enabled                    = var.ratelimit_enabled
 }
 
+module "gatekeeper" {
+  source                     = "../../modules/addons/gatekeeper"
+  cluster_name               = data.terraform_remote_state.infra.outputs.cluster_name
+  k8s_host                   = data.terraform_remote_state.infra.outputs.host
+  k8s_cluster_ca_certificate = data.terraform_remote_state.infra.outputs.cluster_ca_certificate
+  k8s_client_token           = data.terraform_remote_state.k8s_auth.outputs.token
+  gatekeeper_enabled         = local.cluster.tetrate.management_plane ? false : local.cluster.addons.gatekeeper
+}
+
 module "tsb_cp" {
   source                       = "../../modules/tsb/cp"
   cloud                        = local.cluster.cloud

diff --git a/tsb/cp/variables.tf b/tsb/cp/variables.tf
@@ -9,6 +9,11 @@ variable "cluster" {
       control_plane    = optional(bool)
       management_plane = optional(bool)
     })
+    addons = object({
+      gatekeeper = object({
+        enabled = optional(bool)
+      })     
+    })
     version   = optional(string)
     workspace = string
   })
@@ -21,6 +26,9 @@ locals {
       management_plane = false
     }
     version = "1.27"
+    addons = {
+      gatekeeper = false
+    }
   }
   cluster = {
     cloud  = var.cluster.cloud
@@ -33,6 +41,10 @@ locals {
     }
     version   = coalesce(var.cluster.version, local.cluster_defaults.version)
     workspace = var.cluster.workspace
+    addons = {
+      gatekeeper  = coalesce(var.cluster.addons.gatekeeper.enabled,local.cluster_defaults.addons.gatekeeper)
+    }
+
   }
 }
 

diff --git a/tsb/mp/main.tf b/tsb/mp/main.tf
@@ -30,6 +30,15 @@ module "es" {
   es_version                 = local.tetrate.es_version
 }
 
+module "gatekeeper" {
+  source                     = "../../modules/addons/gatekeeper"
+  cluster_name               = data.terraform_remote_state.infra.outputs.cluster_name
+  k8s_host                   = data.terraform_remote_state.infra.outputs.host
+  k8s_cluster_ca_certificate = data.terraform_remote_state.infra.outputs.cluster_ca_certificate
+  k8s_client_token           = data.terraform_remote_state.k8s_auth.outputs.token
+  gatekeeper_enabled         = local.cluster.addons.gatekeeper
+}
+
 module "tsb_mp" {
   source                       = "../../modules/tsb/mp"
   name_prefix                  = var.name_prefix
@@ -53,4 +62,4 @@ module "tsb_mp" {
   k8s_host                     = data.terraform_remote_state.infra.outputs.host
   k8s_cluster_ca_certificate   = data.terraform_remote_state.infra.outputs.cluster_ca_certificate
   k8s_client_token             = data.terraform_remote_state.k8s_auth.outputs.token
-}
+}
diff --git a/tsb/mp/variables.tf b/tsb/mp/variables.tf
@@ -9,6 +9,11 @@ variable "cluster" {
       control_plane    = optional(bool)
       management_plane = optional(bool)
     })
+    addons = object({
+      gatekeeper = object({
+        enabled = optional(bool)
+      }) 
+    })
     version   = optional(string)
     workspace = string
   })
@@ -21,6 +26,9 @@ locals {
       management_plane = false
     }
     version = "1.27"
+    addons = {
+      gatekeeper = false
+    }
   }
   cluster = {
     cloud  = var.cluster.cloud
@@ -33,6 +41,10 @@ locals {
     }
     version   = coalesce(var.cluster.version, local.cluster_defaults.version)
     workspace = var.cluster.workspace
+    addons = {
+      gatekeeper  = coalesce(var.cluster.addons.gatekeeper.enabled,local.cluster_defaults.addons.gatekeeper)
+    }
+
   }
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -130,3 +130,4 @@ data "kubernetes_service" "tsb" {
		}
		depends_on = [time_sleep.wait_240_seconds]
		}